We use cookies to customise content for your subscription and for analytics.If you continue to browse Lexology, we will assume that you are happy to receive all our cookies. For further information please read our Cookie Policy.

Facebook was fined €1.2 million by the Spanish Data Protection Agency (‘AEPD’) for a number of infringements of the Spanish Data Protection Act.

The AEPD investigated Facebook to confirm whether it was complying with Spanish data protection law. It found that Facebook breached domestic law by failing to obtain users’ express consent to process sensitive data for advertising purposes and for collecting data without properly informing users how it would be used.

Facebook had been profiling users based on sensitive personal data such as religious and political beliefs, and then offering advertising based on those beliefs. Facebook, however, had not obtained express consent to use the data for those purposes, instead it had simply provided generic examples of the data it collected and for what purposes.

The AEPD also criticised Facebook for collecting the data of users when browsing third-party sites without making this clear, allowing users aged 13 to register with Facebook without obtaining the parent or guardian’s consent and retaining data longer than required for its original purpose.

The fine is one of a number that Facebook has received from European Data Supervisory Authorities this year.

Compare jurisdictions:Data Security & Cybercrime

"I find the newsfeeds to be extremely beneficial as a means of keeping up with changes in the law. I've made a regular practice of sharing a number of the items with members of our HR staff. Please keep up the good work."